What Is the ICO?
The Information Commissioner's Office (ICO) is the UK's independent regulator for data protection and information rights. It's responsible for enforcing UK GDPR and the Data Protection Act 2018 — the laws that govern how organisations handle personal data.
The ICO has the power to investigate complaints, carry out audits, issue enforcement notices and impose fines for serious breaches. It also provides guidance to help organisations understand their obligations — and it's generally the first place to go if you have a question about data protection compliance.
What Is the Data Protection Fee?
Under the Data Protection (Charges and Information) Regulations 2018, most organisations that process personal data must pay an annual data protection fee to the ICO. This is sometimes called "ICO registration" — though technically you're paying a fee rather than registering in the traditional sense.
The fee funds the ICO's work. It's separate from GDPR compliance itself — paying the fee doesn't mean you're compliant with GDPR, and being GDPR-compliant doesn't mean you don't need to pay the fee. They're two different things.
How Much Does It Cost?
The fee is tiered based on the size of your organisation:
Tier 1 — £52/year
Micro organisations: fewer than 10 staff AND annual turnover or balance sheet total of no more than £632,000. This covers the vast majority of small businesses and sole traders.
Tier 2 — £93/year
Small and medium organisations: fewer than 250 staff AND annual turnover or balance sheet total of no more than £36 million.
Tier 3 — £2,900/year
Large organisations: 250 or more staff OR annual turnover or balance sheet total above £36 million.
There's a £5 discount if you pay by direct debit, bringing Tier 1 down to £47/year. The fee is renewed annually.
Who Is Exempt?
Some organisations are exempt from paying the data protection fee. The main exemptions are:
- You only process personal data for personal, family or household purposes (not business)
- You're a not-for-profit organisation that only processes data for its members, supporters or beneficiaries, and doesn't share it with third parties
- You only process data for staff administration, advertising your own business, or keeping accounts — and you're a sole trader or small partnership with no employees
- You're a maintained school, academy or free school
- You process data only for the purposes of judicial functions
The sole trader exemption is narrow. If you're a sole trader with no employees and you only process data for your own business administration (keeping accounts, advertising your services), you may be exempt. But if you hold a customer database, send marketing emails, or use a CRM, you almost certainly need to pay the fee. When in doubt, use the ICO's self-assessment tool to check.
What happens if you don't register?
Failing to pay the data protection fee when required is a criminal offence. The ICO can issue a fixed penalty notice of up to £4,000, plus a prosecution fine of up to £500. In practice, the ICO usually contacts organisations first and gives them the opportunity to pay before taking enforcement action — but it's not worth the risk. At £52/year, it's one of the cheapest compliance requirements you'll face.
How To Register: Step by Step
1. Check whether you need to register
   Use the ICO's self-assessment tool at ico.org.uk to confirm whether you need to pay the data protection fee. It takes about 2 minutes.
2. Create an account on the ICO website
   Go to ico.org.uk and create an account. You'll need your organisation's name, address and contact details.
3. Complete the registration form
   You'll be asked about the type of organisation you are, the number of staff you have, and your annual turnover. This determines which tier you fall into.
4. Pay the fee
   Pay online by debit or credit card. Most small businesses pay £52 (Tier 1). You can also set up a direct debit for annual renewal.
5. Receive your registration certificate
   The ICO will send you a registration certificate by email. Keep this safe — you may be asked to provide it by clients or as part of contract requirements.
Renewing Your Registration
The ICO will send you a reminder when your registration is due for renewal. If you pay by direct debit, it renews automatically. If you pay manually, make sure you don't let it lapse — processing personal data without a valid registration (when one is required) is an offence from the day it expires.
Related guidance
ICO registration is just one part of GDPR compliance. See our full guide for everything else you need to have in place.
Disclaimer: This guide is for general information only and does not constitute legal or financial advice. Always check current HMRC guidance and seek professional advice where appropriate.